Skip to content

Security hardening #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lisajulia wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Security hardening #125

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bcd0e71
Add blackduck and codeql scans
lisajulia May 12, 2026
02e4ade
Update mvn version
lisajulia May 12, 2026
6e1aee8
Clean up config.yml and scan-with-blackduck/action.yml
lisajulia May 26, 2026
214d5f9
Change action call to org/repo/path/to/file@main
lisajulia May 26, 2026
812dfa7
Remove unused env
lisajulia May 26, 2026
e6236c4
Fixes + merge main
lisajulia May 26, 2026
38de334
Use workflows from https://github.com/cap-java/.github
lisajulia Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 0 additions & 71 deletions .github/actions/deploy-release/action.yml
View file
Open in desktop

This file was deleted.

54 changes: 0 additions & 54 deletions .github/actions/scan-with-blackduck/action.yaml
View file
Open in desktop

This file was deleted.

48 changes: 0 additions & 48 deletions .github/actions/scan-with-sonar/action.yaml
View file
Open in desktop

This file was deleted.

66 changes: 46 additions & 20 deletions .github/workflows/main-build-and-deploy-oss.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,51 @@ name: Deploy to Maven Central

env:
JAVA_VERSION: '17'
MAVEN_VERSION: '3.6.3'
MAVEN_VERSION: '3.9.15'

on:
release:
types: [ "released" ]

jobs:
#blackduck:
# name: Blackduck Scan
# runs-on: ubuntu-latest
# timeout-minutes: 15
# steps:
# - name: Checkout
# uses: actions/checkout@v6
# - name: Scan With Black Duck
# uses: ./.github/actions/scan-with-blackduck
# with:
# blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
# github_token: ${{ secrets.GITHUB_TOKEN }}
# maven-version: ${{ env.MAVEN_VERSION }}
blackduck:
name: Blackduck Scan
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Scan With Black Duck
uses: cap-java/.github/actions/scan-with-blackduck@main
with:
blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
maven-version: ${{ env.MAVEN_VERSION }}
project-name: com.sap.cds.feature.auditlog-ng
included-modules: cds-feature-auditlog-ng
scan_mode: FULL
codeql:
name: CodeQL Scan
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: read
actions: read
security-events: write
packages: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Scan With CodeQL
continue-on-error: true
uses: cap-java/.github/actions/scan-with-codeql@main
with:
maven-version: ${{ env.MAVEN_VERSION }}
java-version: ${{ env.JAVA_VERSION }}
language: java-kotlin
queries: security-extended

# update-version:
# name: Update Version
Expand All @@ -43,6 +68,7 @@ jobs:
# path: .
# include-hidden-files: true
# retention-days: 1

requires-approval:
runs-on: ubuntu-latest
name: "Waiting for release approval"
Expand All @@ -66,12 +92,12 @@ jobs:
- name: Checkout
uses: actions/checkout@v6
- name: Build
uses: ./.github/actions/build
uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main
with:
java-version: ${{ env.JAVA_VERSION }}
maven-version: ${{ env.MAVEN_VERSION }}
#- name: Sonar Scan
# uses: ./.github/actions/scan-with-sonar
# uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main
# with:
# java-version: ${{ env.JAVA_VERSION }}
# maven-version: ${{ env.MAVEN_VERSION }}
Expand All @@ -97,13 +123,13 @@ jobs:
with:
name: root-build
- name: Deploy
uses: ./.github/actions/deploy-release
uses: cap-java/.github/actions/deploy-release@main
with:
user: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_USER }}
password: ${{ secrets.CAP_JAVA_CDS_FEATURE_AUDITLOG_NG_PASS }}
pgp-pub-key: ${{ secrets.PGP_PUBKEY_ID }}
pgp-private-key: ${{ secrets.PGP_PRIVATE_KEY }}
pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }}
gpg-pub-key: ${{ secrets.PGP_PUBKEY_ID }}
gpg-private-key: ${{ secrets.PGP_PRIVATE_KEY }}
gpg-passphrase: ${{ secrets.PGP_PASSPHRASE }}
revision: ${{ github.event.release.tag_name }}
maven-version: ${{ env.MAVEN_VERSION }}
- name: Echo Status
Expand Down
58 changes: 42 additions & 16 deletions .github/workflows/main-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: Main build and deploy

env:
JAVA_VERSION: '17'
MAVEN_VERSION: '3.6.3'
MAVEN_VERSION: '3.9.15'

on:
push:
Expand All @@ -20,33 +20,59 @@ jobs:
uses: actions/checkout@v6

- name: Build
uses: ./.github/actions/build
uses: cap-java/cds-feature-auditlog-ng/.github/actions/build@main
with:
java-version: ${{ matrix.java-version }}
maven-version: ${{ env.MAVEN_VERSION }}

#- name: SonarQube Scan
# uses: ./.github/actions/scan-with-sonar
# uses: cap-java/cds-feature-auditlog-ng/.github/actions/scan-with-sonar@main
# if: ${{ matrix.java-version == 17 }}
# with:
# java-version: ${{ matrix.java-version }}
# maven-version: ${{ env.MAVEN_VERSION }}
# sonarq-token: ${{ secrets.SONARQ_TOKEN }}
# github-token: ${{ secrets.GITHUB_TOKEN }}

# scan:
# name: Blackduck Scan
# runs-on: ubuntu-latest
# timeout-minutes: 15
# steps:
# - name: Checkout
# uses: actions/checkout@v6
# - name: Scan
# uses: ./.github/actions/scan-with-blackduck
# with:
# blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
# github_token: ${{ secrets.GITHUB_TOKEN }}
# maven-version: ${{ env.MAVEN_VERSION }}
blackduck:
name: Blackduck Scan
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Scan With Black Duck
uses: cap-java/.github/actions/scan-with-blackduck@main
with:
blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
maven-version: ${{ env.MAVEN_VERSION }}
project-name: com.sap.cds.feature.auditlog-ng
included-modules: cds-feature-auditlog-ng
scan_mode: FULL
codeql:
name: CodeQL Scan
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: read
actions: read
security-events: write
packages: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Scan With CodeQL
continue-on-error: true
uses: cap-java/.github/actions/scan-with-codeql@main
with:
maven-version: ${{ env.MAVEN_VERSION }}
java-version: ${{ env.JAVA_VERSION }}
language: java-kotlin
queries: security-extended

deploy-snapshot:
name: Deploy snapshot to Artifactory
Expand Down
Loading
Loading